Job Interview

Had my third phone interview with a company yesterday for a Full Stack Developer role. Never thought my security experience and CISSP would be a detriment to getting hired. The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project. I explained that perhaps adding in security from the beginning would save time in the long run and not expose them to possible breaches and rework. Nope, they were going to bolt on security afterward. Got the rejection two hours later.

I honestly wish them luck because they are going to need it. Lots of it.

Re: Job Interview

@JohnC I think you dodged a bullet there John. Either that or they were testing you to see if you would say that leaving security out of it was okay. Have you had any feedback from the company/agency? The job was not meant to be. There are plenty more out there with your name on. Good luck with the search.

Re: Job Interview

The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project.

Sorry, one of the CIOs?

As others have pointed out, you have had a fortunate escape. Yes, it is disheartening to lose a job (prospect), but it would have been possibly much worse to lose your soul by working for these clowns.

Over the years I have come to disregard most of the "advice" on how to handle job interviews. Best to be honest. If they are that stupid (and remember George Carlin's advice to consider how stupid the average person is--and then to recall that half of them are dumber than that) then it would be painful working for them.

I honestly wish them luck because they are going to need it. Lots of it.

And you are lucky not to be involved ...

............This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468

Re: Job Interview

It's as likely a 'need to find excuses' to exclude a candidate. For some reason many companies find it necessary to manufacture a reason; like being 'too security', being 'overqualified', 'not a good cultural fit' etc. And then some people have forgotten or never bother to think that security is generally a facilitator of many services, rather than the converse. Where would the www be without SSL/TLS?

Re: Job Interview

The key bit here is maybe that he posed the question as an either or, but it doesn't have to be.

My response would be 'If we have a risk, I'm more likely to be able to identify, understand and escalate that risk (quickly & efficiently) to my line manager with a clear picture of the potential consequences. It would then be the leadership's decision as to whether the risk is prohibitive and needs additional controls, or is within the risk appetite of the company'

An understanding that controls have costs, that to understand if it's worth securing you need to know the cost and the value, is imho one of the core teachings of CISSP.

Re: Job Interview

Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC has a good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.
